Resubmissions
25-06-2021 19:11
210625-5pemrnaw72 817-01-2021 18:28
210117-75pm951t9e 830-12-2020 13:22
201230-xn7db4f1zn 8Analysis
-
max time kernel
149s -
max time network
96s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
17-01-2021 18:28
Static task
static1
Behavioral task
behavioral1
Sample
freebobux.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
freebobux.exe
Resource
win10v20201028
General
-
Target
freebobux.exe
-
Size
779KB
-
MD5
794b00893a1b95ade9379710821ac1a4
-
SHA1
85c7b2c351700457e3d6a21032dfd971ccb9b09d
-
SHA256
5ac42d75e244d33856971120a25bd77f2c0712177384dfa61fb90c0e7790d34c
-
SHA512
3774d4aed0cce7ed257d31a2bb65dda585d142c3c527dc32b40064d22d9d298dd183c52603561c9c1e96dd02737a8b2237c433cf7a74dccb0a25191446d60017
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
CLWCP.exepid process 3928 CLWCP.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
CLWCP.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Desktop\Wallpaper = "c:\\temp\\bg.bmp" CLWCP.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
taskmgr.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe -
Modifies registry class 1 IoCs
Processes:
cmd.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings cmd.exe -
Suspicious behavior: EnumeratesProcesses 95 IoCs
Processes:
taskmgr.exepid process 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
taskmgr.exedescription pid process Token: SeDebugPrivilege 1396 taskmgr.exe Token: SeSystemProfilePrivilege 1396 taskmgr.exe Token: SeCreateGlobalPrivilege 1396 taskmgr.exe -
Suspicious use of FindShellTrayWindow 108 IoCs
Processes:
sndvol.exetaskmgr.exepid process 2092 sndvol.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe -
Suspicious use of SendNotifyMessage 108 IoCs
Processes:
sndvol.exetaskmgr.exepid process 2092 sndvol.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe 1396 taskmgr.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
freebobux.execmd.exedescription pid process target process PID 1308 wrote to memory of 552 1308 freebobux.exe cmd.exe PID 1308 wrote to memory of 552 1308 freebobux.exe cmd.exe PID 1308 wrote to memory of 552 1308 freebobux.exe cmd.exe PID 552 wrote to memory of 3928 552 cmd.exe CLWCP.exe PID 552 wrote to memory of 3928 552 cmd.exe CLWCP.exe PID 552 wrote to memory of 3928 552 cmd.exe CLWCP.exe PID 552 wrote to memory of 1456 552 cmd.exe WScript.exe PID 552 wrote to memory of 1456 552 cmd.exe WScript.exe PID 552 wrote to memory of 1456 552 cmd.exe WScript.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\freebobux.exe"C:\Users\Admin\AppData\Local\Temp\freebobux.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7BDD.tmp\freebobux.bat""2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7BDD.tmp\CLWCP.execlwcp c:\temp\bg.bmp3⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7BDD.tmp\x.vbs"3⤵
-
C:\Windows\system32\sndvol.exe"C:\Windows\system32\sndvol.exe"1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7BDD.tmp\CLWCP.exeMD5
e62ee6f1efc85cb36d62ab779db6e4ec
SHA1da07ec94cf2cb2b430e15bd0c5084996a47ee649
SHA25613b4ec59785a1b367efb691a3d5c86eb5aaf1ca0062521c4782e1baac6633f8a
SHA5128142086979ec1ca9675418e94326a40078400aff8587fc613e17164e034badd828e9615589e6cb8b9339da7cdc9bcb8c48e0890c5f288068f4b86ff659670a69
-
C:\Users\Admin\AppData\Local\Temp\7BDD.tmp\CLWCP.exeMD5
e62ee6f1efc85cb36d62ab779db6e4ec
SHA1da07ec94cf2cb2b430e15bd0c5084996a47ee649
SHA25613b4ec59785a1b367efb691a3d5c86eb5aaf1ca0062521c4782e1baac6633f8a
SHA5128142086979ec1ca9675418e94326a40078400aff8587fc613e17164e034badd828e9615589e6cb8b9339da7cdc9bcb8c48e0890c5f288068f4b86ff659670a69
-
C:\Users\Admin\AppData\Local\Temp\7BDD.tmp\bg.bmpMD5
2229bdea09783e544015db10917ea91c
SHA19d8fd01f98f6de2f2889bc441847f25146190660
SHA25613ff1d9aee82f15e4df8621c0b68ca31844bea8a0a5e5b194dfeabac7a646521
SHA512c1abd12398bf749fcc07de144ada40e23985cde634d7ba756f0199614ec4eec918c706f0d8af2f4fbec2539c256e638496e8c57cd18e2f5cbefe204d3770d089
-
C:\Users\Admin\AppData\Local\Temp\7BDD.tmp\freebobux.batMD5
202d76eb2952aeb2e241c13defe48045
SHA134e26a3407288c7ea63bd1cd305c27b06b163386
SHA2569d99aa3263624e3a9434af76bac620f71598c082b35504de738d1c04af079fab
SHA5126a78847878c3ee4ef82a61d03e4f61f681ad7c2d62d5ff10645f17fa2acf63bc76b5862043bb94eaf7d80ce0ab2c35a904ef6de178623d42111c453c5ee9f3d3
-
C:\Users\Admin\AppData\Local\Temp\7BDD.tmp\x.vbsMD5
ab30794d761af418b216eab48d003536
SHA1edd4c2f1813c70cb8739b5c3b8efa425072a4911
SHA256a6154ba12e45de717c0f6cef752c68897ac80438d1ad60750b258f1d35a39e25
SHA51296214a59bd691d2210a758d1679e2db7e6b186c2f0b8bd9a4286ea3a8aeaa1f35632c6c078371bf474e7dffca9e23bd0d6cc4e9c0c114c883ab3374be81f291d
-
memory/552-2-0x0000000000000000-mapping.dmp
-
memory/1456-9-0x0000000000000000-mapping.dmp
-
memory/3928-5-0x0000000000000000-mapping.dmp
-
memory/3928-8-0x0000000000640000-0x0000000000641000-memory.dmpFilesize
4KB